Abstract
We consider the problem of proving that a user has selected and correctly employed a truly random seed in the generation of her RSA key pair. This task is related to the problem of key validation, the process whereby a user proves to another party that her key pair has been generated securely. The aim of key validation is to persuade the verifying party that the user has not intentionally weakened or reused her key or unintentionally made use of bad software. Previous approaches to this problem have been ad hoc, aiming to prove that a private key is secure against specific types of attacks, e.g., that an RSA modulus is resistant to elliptic-curve-based factoring attacks. This approach results in a rather unsatisfying laundry list of security tests for keys.
We propose a new approach that we refer to as key generation with verifiable randomness (KEGVER). Our aim is to show in zero knowledge that a private key has been generated at random according to a prescribed process, and is therefore likely to benefit from the full strength of the underlying cryptosystem. Our proposal may be viewed as a kind of distributed key generation protocol involving the user and verifying party. Because the resulting private key is held solely by the user, however, we are able to propose a protocol much more practical than conventional distributed key generation. We focus here on a KEGVER protocol for RSA key generation.
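As an added illustration of the motivation in the abstract (this is not code from the paper, and it does not implement the KEGVER protocol itself, whose zero-knowledge machinery is not described at abstract level): a toy RSA key generator driven entirely by a short seed, the kind of per-property checks the abstract calls a laundry list, and an attacker who recovers the private key from the public key alone by re-running generation over the seed space. The key size, seed size, SHA-256-seeded PRNG, function names and the particular check list are choices made for this example, not the paper's.

```python
# Added illustration (not from the Juels-Guajardo paper). Toy parameters
# throughout: 32-bit primes, a 10-bit seed, SHA-256-seeded PRNG. Function
# names, seed encoding and the check list are choices made for this example.
import hashlib
import math
import random


def seed_from_int(s: int, seed_bits: int) -> bytes:
    """Encode a seed value as the fixed-width byte string fed to the PRNG."""
    return s.to_bytes((seed_bits + 7) // 8, "big")


def seeded_prng(seed: bytes) -> random.Random:
    """Deterministic PRNG: every bit of the key pair is a function of seed."""
    return random.Random(int.from_bytes(hashlib.sha256(seed).digest(), "big"))


def is_probable_prime(n: int, rng: random.Random, rounds: int = 8) -> bool:
    """Miller-Rabin with random bases drawn from rng."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int, rng: random.Random) -> int:
    """Random odd candidate with the top bit set, until one passes Miller-Rabin."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand, rng):
            return cand


def rsa_keygen(seed: bytes, bits: int = 32, e: int = 65537) -> dict:
    """Textbook RSA key pair derived entirely from seed (toy sizes)."""
    rng = seeded_prng(seed)
    while True:
        p, q = gen_prime(bits, rng), gen_prime(bits, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e, "d": pow(e, -1, phi), "p": p, "q": q}


def adhoc_key_validation(key: dict, bits: int = 32) -> dict:
    """The per-property 'laundry list' style of key validation the abstract
    criticises. Each test inspects (p, q, e) as given; none can tell whether
    p and q were chosen at random or derived from a guessable seed."""
    p, q, e, n = key["p"], key["q"], key["e"], key["n"]
    phi = (p - 1) * (q - 1)
    rng = random.Random(0)  # bases for the verifier's own primality tests
    return {
        "p_prime": is_probable_prime(p, rng),
        "q_prime": is_probable_prime(q, rng),
        "p_ne_q": p != q,
        # both factors full size, so no small factor for ECM-style attacks
        "balanced_factors": p.bit_length() == bits and q.bit_length() == bits,
        # |p - q| not tiny, so Fermat factoring does not apply
        "p_minus_q_large": abs(p - q).bit_length() > bits // 2,
        "gcd_e_phi": math.gcd(e, phi) == 1,
        "n_bits": n.bit_length() in (2 * bits - 1, 2 * bits),
    }


def recover_private_key(n: int, e: int, seed_bits: int):
    """Attacker view: knowing only (n, e) and that the seed was seed_bits long,
    re-run key generation for every seed and compare moduli."""
    for s in range(1 << seed_bits):
        key = rsa_keygen(seed_from_int(s, seed_bits))
        if key["n"] == n and key["e"] == e:
            return s, key["d"]
    return None


if __name__ == "__main__":
    SEED_BITS = 10
    victim = rsa_keygen(seed_from_int(0x2A1, SEED_BITS))
    print("ad hoc checks:", adhoc_key_validation(victim))
    print("recovered (seed, d):",
          recover_private_key(victim["n"], victim["e"], SEED_BITS))
```

Every entry in the ad hoc check list passes for the victim key, yet the private exponent falls out of a search over 1024 seeds, because none of the checks says anything about how p and q were chosen. What a KEGVER-style protocol adds is exactly the missing property: the verifying party contributes to the seed and is convinced in zero knowledge that the key was derived from it, without learning the seed or the factors.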
© 2002 Springer-Verlag Berlin Heidelberg
Cite this paper
Juels, A., Guajardo, J. (2002). RSA Key Generation with Verifiable Randomness. In: Naccache, D., Paillier, P. (eds) Public Key Cryptography. PKC 2002. Lecture Notes in Computer Science, vol 2274. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45664-3_26
DOI: https://doi.org/10.1007/3-540-45664-3_26
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-43168-8
Online ISBN: 978-3-540-45664-3